Method for establishing a security association between two or more computers communicating via an interconnected computer network

ABSTRACT

A method for establishing a secure communication channel for information flow between two or more computers communicating via an interconnected computer network, and a system for implementing the method, in response to receiving a security association data structure from one of the computers. The received security association data structure is stored in a memory region having a specific memory address value, and the specific memory address value is assigned as the security parameter index value associated with the received inbound security association data structure. Additionally, a method of processing information received over a previously established secure communication channel, and a system for implementing the method, in response to receiving a data packet that includes an encrypted data portion, and a header portion that includes a security parameter index value. A memory region is located using the security parameter index value as an address pointer. The encrypted data portion of the received data packet is then processed based on a security association data structure stored in the located memory region.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to a method for establishing secure communications via an interconnected computer network and, more particularly, to a method for establishing a security association between computers that are communicating, or desire to communicate, via the interconnected computer network.

[0003] 2. Description of Related Art

[0004] Data that is transferred over an interconnected computer network, such as the Internet, is susceptible to various forms of attack. These attacks may result in such things as loss of privacy, loss of data integrity, identity theft, denial of service, or any combination of these attacks. The ever-expanding popularity of the Internet for secure communications, e-commerce, and various other transactions has led to the need to ensure that communications over non-secure interconnected computer networks like the Internet are secure from such attacks.

[0005] In order to address the above-mentioned concerns, the so-called “Internet Engineering Task Force” (IETF) developed a framework of open standards for ensuring the confidentiality, integrity, and authenticity of private communications over the Internet. This standards framework is known in the art as the Internet Security Protocol, or “IPSec.” IPSec provides security services at the IP layer of a system, and allows a system to select required security protocols, determine the algorithm(s) used to secure data, and implement any cryptographic keys required to provide the security services. Because these security services are implemented within the IP layer, the IPSec services may be used by any higher layer protocol, such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), BGP (Border Gateway Protocol), or various other protocols known in the art. IPSec can be used to establish one or more secure communication channels between host computers, between security gateways, such as a router or firewall, or between hosts and security gateways.

[0006] As is known, IP data traverses an interconnected computer network as discrete data packets, colloquially referred to as IP datagrams. IPSec provides a new set of IPSec headers that are added to IP datagrams. The new IPSec headers, among other things, provide information regarding the security protocols that are used to secure the IP datagram payload as it traverses an interconnected computer network. These security protocols are known as the Authentication Header (AH) and Encapsulating Security Payload (ESP). The AH security protocol provides connectionless integrity, data origin authentication, and an optional anti-replay service, and is generally represented using protocol number 51. The ESP security protocol provides confidentiality, integrity, data origin authentication, and anti-replay services, and is generally represented using protocol number 50. The AH and ESP protocols can be used independently or in combination with each other to provide a desired set of security services.

[0007] Fundamental to the use and understanding of IPSec is the Security Association (SA). In general, an SA is a relationship between two or more devices that describes how the devices will use IPSec's security services to securely communicate with each other. An SA is unidirectional. Hence, to secure bi-directional communication channels between two nodes in an interconnected computer network, two SAs are required, one for each direction. These individual secure communication channels are generally referred to as an “inbound tunnel” and an “outbound tunnel,” where one device's inbound tunnel is the other device's outbound tunnel, and vice-versa.

[0008] An SA is uniquely identified by a “triple” that consists of predetermined data fields. Specifically, the triple consists of an IP Destination Address, an IPSec security protocol, and a Security Parameter Index (SPI). The IP Destination Address data field, as it connotes, specifies the IP address of the intended recipient. The IPSec security protocol data field specifies the security protocol that the devices have agreed upon implementing (e.g., AH=51, or ESP=50). The SPI is a randomly generated 32-bit value that distinguishes among different Security Associations established at the same destination address and using the same IPSec security protocol.

[0009] Each device that is intercommunicating over the non-secure network specifies the SPI value that the other devices should use when communicating to it over its inbound tunnel. For example, when two devices are establishing an SA, the first device will request an SPI value from the second device. The second device will then provide the first device with an SPI value. Thereafter, the first device will include the SPI value in the IPSec header when transmitting secure data over the first device's outbound tunnel, which is also the second device's inbound tunnel. As is known, an SA can be established either manually or automatically; however, in most instances an SA is established automatically using the Internet Key Exchange (IKE) processing software.

[0010] All active SAs of a device are stored within a centralized database, known as a Security Association Database (SAD). Thus, each active SA, both inbound and outbound, has an entry in the SAD. When one device sends an IP packet that requires IPSec protection, the device receiving the protected IP datagram will look to various portions of the datagram and determine the destination address, security protocol, and SPI value. These three values are used to create a hash key, the result of which is used to hash into the SAD. Thereafter, a linear search is conducted in the SAD until a match is found.

[0011] IPSec data transmission and processing is targeting higher and higher data rates. For example, data rates on the order of OC-24, OC-48, OC-192, and even higher, are being implemented and/or targeted. The presently known methods of establishing and determining SAs for inbound IPSec traffic, especially at these higher data rates, become less and less efficient, due to the calculational overhead. Hence, there is a need in the art for a method of efficiently establishing and determining inbound SAs that does not require the calculational overhead, and thus the processing time, associated with present methods.

SUMMARY OF THE INVENTION

[0012] The present invention provides a method and system for establishing a secure communication channel for information flow between two or more computers communicating via an interconnected computer network by assigning the memory address location of an inbound SA as the SPI value of the inbound SA.

[0013] In one aspect of the present invention, a method of establishing a secure communication channel for information flow between two or more computers communicating via an interconnected computer network includes the step of receiving a security association data structure from one or more computers via the interconnected computer network. The received security association data structure is stored in a memory region having a specific memory address associated therewith. The specific memory address is assigned to a security parameter index value associated with the received security association data structure.

[0014] In another aspect of the present invention, a method of processing information received over a previously established secure communication channel includes the step of receiving a data packet that includes at least an encrypted and/or authenticated data portion and one or more header portions that include at least a security parameter index value. A memory region is located using the security parameter index value as an address pointer. The encrypted and/or authenticated data portion of the received data packet is then processed based on a security association data structure stored in the located memory region.

BRIEF DESCRIPTION OF THE DRAWINGS

[0015] FIG. 1 is a functional block diagram depicting various computers communicating over an interconnected computer network;

[0016] FIG. 2 depicts the general structure of an IP datagram;

[0017] FIG. 3 depicts the general structure of an inbound IPSec datagram for tunnel mode operation;

[0018] FIG. 4 depicts the general structure of an inbound IPSec datagram for transport mode operation;

[0019] FIG. 5 is a simplified graphic and schematic representation of a software stack and IPSec hardware components according to an embodiment of the present invention;

[0020] FIG. 6 depicts a process for assigning a Security Parameter Index value to an inbound Security Association according to an embodiment of the present invention; and

[0021] FIG. 7 depicts a process for determining and locating an appropriate inbound Security Association for an inbound IPSec datagram according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0022] A functional block diagram depicting various computer devices communicating over an interconnected computer network is depicted in FIG. 1. The system 100 depicts a first local network 102 coupled to a second local network 104 via an external non-secure computer network 106, such as the Internet. The first local network 102 includes a plurality of first individual computer workstations 108-1, 108-2, 108-3, . . . 108-N coupled to a first gateway computer 110, and the second local network 104 includes a plurality of second individual computer workstations 112-1, 112-2, 112-3, . . . 112-N coupled to a second gateway computer 114. It will be appreciated that the system 100 depicted in FIG. 1 is only exemplary of one embodiment, and that other embodiments are encompassed by the present invention. For example, the system may include individual computer workstations coupled directly to the Internet 106, or to the Internet 106 via a service provider.

[0023] As was noted above, data traverses the Internet 106 as IP datagrams. An IP datagram 200, as depicted in FIG. 2, typically includes an IP header portion 202, an upper layer protocol (ULP) header 204, and a data payload 206. Examples of an inbound IPSec datagram, i.e., an IP datagram subject to IPSec processing and received at its intended destination, are depicted in FIGS. 3 and 4 for tunnel mode and transport mode, respectively. As depicted therein, an IPSec datagram 300, 400 includes an IP header portion 302, 402, an IPSec header portion 304, 404, and an encrypted and/or authenticated payload portion 306, 406. The IP header portion 302, 402 may be either a new IP header portion 302, if operating in IPSec tunnel mode (FIG. 3), or the original IP header 402 of the unencrypted IP datagram 200, if operating in transport mode (FIG. 4). The encrypted and/or authenticated payload portion 306, 406 (represented by the diagonal lines) includes encrypted and/or authenticated forms of the data payload portion 206 from the unencrypted IP datagram 200. If operating in tunnel mode, the encrypted and/or authenticated payload portion 306 will also include an encrypted form of the original IP header portion 202 and upper layer protocol portion 204. In transport mode, by contrast, the original upper layer protocol portion 204 is included in its original form. The tunnel and transport operational modes are known in the art, and are explained in detail in RFC 2401, “System Architecture for the Internet Protocol,” the entirety of which is hereby incorporated by reference. The IPSec header portion 304, 404 includes, among other things, the security protocol (e.g., AH, ESP, or both) 310, 410, and the Security Parameter Index (SPI) value 312, 412. The remaining portion of the SA triple, the destination address value 308, is included in the IP header portion 302, 402.

[0024] As a precursor to a more detailed discussion of the present invention, a general discussion of secure communications between two computers using IPSec will first be provided. In this regard, when the operator of one of the first individual computer workstations, for example 108-1, wants to communicate with the operator of one of the second individual computer workstations, for example 112-1, the operator of the first individual computer workstation 108-1 sends data toward the operator of the second individual computer workstation 112-1. As was just discussed above, the data is sent in the form of IPSec datagrams. The first gateway computer 110 receives the first IPSec datagram and determines whether an IPSec SA exists with the second gateway computer 114. If not, then the first gateway computer 110 requests an IPSec SA from the second gateway computer 114, preferably via the Internet Key Exchange (IKE) software. The IKE software, as will be described in more detail below, resides in a software stack within each of the first 110 and second 114 gateway computers. The IKE software used may be any one of various conventional IKE software packages known in the art. Samples include, but are not limited to, IKE software licensed from Lucent® or SafeNet®.

[0025] If the first 110 and second 114 gateway computers already share an IKE SA, then the IPSec SA can be created fairly quickly. If not, then an IKE SA must first be established before an IPSec SA can be established. To establish an IKE SA, the first 110 and second 114 gateway computers exchange digital certificates, which have been digitally signed by a trusted third party certificate authority 115. Thereafter, when the IKE session becomes active, the first 110 and second 114 gateway computers can establish the IPSec SA.

[0026] In order to establish the IPSec SA, the first 110 and second 114 gateway computers must agree upon an encryption algorithm and an authentication algorithm, and must have a shared session key. The first 110 and second 114 gateway computers must also provide each other with the appropriate SPI value 310, 410 to include in the IPSec header portion 304, 404. When this is done, the IPSec SA has been established, and the first 110 and second 114 gateway computers store the SA in respective Security Association Databases (SADs) 116, 118. As will be described in more detail below, the SADs 116, 118 reside in a memory storage device. The memory storage device may be incorporated into the gateway computers 110, 114 or, as depicted in FIG. 1, be physically separate therefrom. Thereafter, the first gateway computer 110 encrypts each IP datagram 200, forms a new IPSec datagram 300, 400, and sends it to the second gateway computer 114. When the second gateway computer 114 receives the IPSec datagram 300, 400, it looks up the IPSec SA in its SAD 118, properly processes the datagram, and forwards it to the second individual computer workstation 112-1.

[0027] Having generally described an IPSec datagram 300, 400, and how an IPSec SA is established and, once established, determined, a more detailed description of the present invention will now be provided. In doing so, reference should first be made to FIG. 5, which depicts a simplified graphic and schematic representation of a computer's processor software stack coupled to an IPSec hardware device and memory storage device. Again, the computer 500 may be a gateway or router, such as the first 110 or second 114 gateway computers, or a stand-alone computer, such as the individual computer workstations 108-1, 108-2, 108-3, . . . 108-N, 112-1, 112-2, 112-3, . . . 112-N. In any case, the computer's software stack 502 includes, at least, an IKE software component 504, an IPSec memory management software component 506, and an IPSec hardware device driver 508. The software stack 502 is coupled to an IPSec hardware device 510 via a first communication bus 512. The IPSec hardware device 510, which is coupled to receive IPSec datagrams via a first input/output (I/O) bus 509 and output processed IP data payloads via a second I/O bus 511, implements all of the necessary IPSec processing under the control of the various software components. The IPSec hardware device 510 may be a general purpose microprocessor device or, in a preferred embodiment, is an application specific hardware device (e.g., ASIC) designed specifically for IPSec implementation. A memory storage device 514 is coupled to the IPSec hardware component 510 via a second communication bus 516. The memory storage device 514 includes a plurality of memory regions that comprise the SAD of the computer 500. The memory storage device 514 is similar to, and functions the same as, the SADs 116, 118 described above with reference to FIG. 1. Hence, although FIG. 5 depicts the memory storage device 514 as being physically included as a part of the computer 500, this is only exemplary of a preferred embodiment. It is to be appreciated that the memory storage device 514 may be physically separate from the computer 500.

[0028] Referring now to FIG. 6 in combination with FIG. 5, the process 600 for assigning an SPI value to an inbound SA will now be discussed. In this regard, the parenthetical references to “STEPs” correspond to the particular reference numerals of the process flowchart depicted in FIG. 6. The process 600 begins when the IPSec hardware component 510 receives an SA structure from an external non-secure network (e.g., the Internet) and determines that it needs to establish an inbound SA (STEP 602). If so, this inbound SA structure is passed to the IKE software component 504 (STEP 604). In response, the IKE software component 504 will request, preferably via an application programming interface (API), a 32-bit SPI value 312, 412 from the IPSec memory management software component 506. To accomplish this, the IKE software component 504 passes the IPSec memory management software component 506 a copy of the received SA structure (STEP 606). The IPSec memory management software component 506 is responsible for partitioning the SAD in the memory storage device 514 and determining in which memory regions each of the SAs reside. Hence, the IPSec memory management software component 506, upon receipt of the SA structure from the IKE software component 504, determines which memory region in the memory storage device 514 will store the SA structure (STEP 608).

[0029] Each memory region in the memory storage device 514 is, as is generally known, indexed using a specific memory address value. In a preferred embodiment, each memory address value is 32 bits in length, which matches the standard bit length of an IPSec SPI value. Thus, the memory address value of the memory region that will store the SA structure is assigned as the SPI value 312, 412 of the inbound SA (STEP 610). The IPSec hardware device 510 then writes the inbound SA structure to the assigned memory region for storage (STEP 612), and the IPSec memory management software passes the SPI value 312, 412 to the IKE software component 504 (STEP 614), which maintains its own SA tables. As is generally known in the art, the SA table entries within the IKE software component 504 are used during IPSec SA “initial establishment” or “refresh” events. Hence, further discussion of these tables, which is not critical to an understanding or the enablement of the present invention, will not be provided. The computer 500, via the IKE software component 504, then transmits the assigned SPI value back to the computer that requested that the SA be established (STEP 616). The process then ends (STEP 618).

[0030] Once the SPI value is assigned and the SA is established, the IPSec hardware device 510 is able to process inbound IPSec datagrams 300, 400. The skilled artisan will appreciate that this processing is generally the same, whether operating in tunnel mode or transport mode. Turning now to FIG. 7, the process 700 that is carried out by the IPSec hardware device 510 to determine and locate the appropriate SA for the inbound IPSec datagrams will be described. The process begins (STEP 702) when the IPSec hardware device 510 receives an inbound IPSec datagram 300, 400 via the first I/O bus 509 (STEP 704). Upon receipt of the IPSec datagram 300, 400, the IPSec hardware device 510 parses the IPSec header 304, 404 to locate the SPI value 312, 412 (STEP 706). This SPI value is then used to locate the memory region in the SAD that has the same address value as the SPI value (STEP 708). The SA structure that is stored in that memory region is then used as the SA for the inbound IPSec datagram (STEP 710).

[0031] The present invention eliminates the need for elaborate and time-consuming SAD table lookup algorithms, which result in costly memory access times and complex lookup hardware. The present invention allows high-speed and efficient inbound SA lookup without significantly impacting memory access bandwidth.

[0032] While the invention has been described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from the essential scope thereof. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but that the invention will include all embodiments falling within the scope of the appended claims.

We claim:
1. A method of establishing a secure communication channel for information flow between two or more computers communicating via an interconnected computer network, comprising: receiving a security association data structure from one or more computers via the interconnected computer network; storing the received security association data structure in a memory region having a specific memory address associated therewith; and assigning the specific memory address to a security parameter index value associated with the received security association data structure.
2. The method of claim 1, further comprising: transmitting the security parameter index value to the one or more computers from which the security association data structure was received.
3. The method of claim 1, wherein the specific memory address and the security parameter index value are both 32 bit values.
4. The method of claim 1, wherein the received security association data structure is stored in a security association database that includes other security association data structures.
5. The method of claim 1, wherein the received security association data structure comprises a network destination address value and a security protocol identifier.
6. A method of establishing a secure communication channel for information flow between two or more computers communicating via an interconnected computer network, comprising: receiving a security association data structure from one or more computers via the interconnected computer network; storing the received security association data structure in a memory region having a specific memory address associated therewith; assigning the specific memory address to a security parameter index value; and transmitting the security parameter index value to the one or more computers from which the security association data structure was received.
7. The method of claim 6, wherein the specific memory address and the security parameter index value are both 32 bit values.
8. The method of claim 6, wherein the received security association data structure is stored in a security association database that includes other security association data structures.
9. A method of processing information received over a previously established secure communication channel, the method comprising: receiving a data packet that includes at least an encrypted and/or authenticated data portion and one or more header portions, the one or more header portions including at least a security parameter index value; locating a memory region using the security parameter index value as an address pointer; and processing the encrypted and/or authenticated data portion of the received data packet based on a security association data structure stored in the located memory region.
10. The method of claim 9, wherein the one or more header portions of the data packet and the security association data structure each further includes a network destination address value, and wherein the method further comprises: prior to processing the encrypted and/or authenticated data portion, determining whether the network destination address value in the one or more header portions matches the network destination address value in the security association data structure stored in the located memory region.
11. The method of claim 9, wherein the security parameter index value is a 32 bit value.
12. The method of claim 9, wherein the located memory region is part of a security association database that includes other memory regions that store other security association data structures.
13. The method of claim 9, wherein: the security association data structure stored in the located memory address includes a security protocol identifier; and the processing of the encrypted and/or authenticated data portion includes decrypting and/or authenticating the encrypted and/or authenticated data portion based on a security protocol that is identified by the security protocol identifier.
14. The method of claim 13, wherein the one or more header portions of the received data packet further includes a security protocol identifier, and wherein the method further comprises: prior to processing the encrypted and/or authenticated data portion, determining whether the security protocol identifier in the one or more header portions matches the security protocol identifier in the security association data structure stored in the located memory region.
15. A method of processing information received over a previously established secure communication channel, the method comprising: receiving a data packet that includes at least an encrypted and/or authenticated data portion and one or more header portions, the one or more header portions including at least a security parameter index value and a network destination address value; locating a memory region using the security parameter index value as an address pointer; determining whether the network destination address value in the header portion matches a network destination address of a security association data structure stored in the located memory region; and in response to the determination that the network destination address values match, processing the encrypted and/or authenticated data portion of the received data packet based on the security association data structure stored in the located memory region.
16. The method of claim 15, wherein the security parameter index value is a 32 bit value.
17. The method of claim 15, wherein the located memory region is part of a security association database that includes other memory regions that store other security association data structures.
18. The method of claim 15, wherein: the security association data structure stored in the located memory address includes a security protocol identifier; and the processing of the encrypted and/or authenticated data portion includes decrypting and/or authenticating the encrypted and/or authenticated data portion based on a security protocol that is identified using the security protocol identifier.
19. The method of claim 18, wherein the one or more header portions of the received data packet further includes a security protocol identifier, and wherein the method further comprises: prior to processing the encrypted and/or authenticated data portion, determining that the security protocol identifier in the one or more header portions matches the security protocol identifier in the security association data structure stored in the located memory region.
20. A method of processing information received over a previously established secure communication channel, the method comprising: receiving a data packet that includes at least an encrypted and/or an authenticated data portion and one or more header portions, the one or more header portions including at least a security parameter index value, a network destination address value, and a security protocol identifier; locating a memory region using the security parameter index value as an address pointer; determining whether the network destination address value and the security protocol identifier in the one or more header portions each match a network destination address value and a security protocol identifier in a security association data structure stored in the located memory region; and in response to the determination that the network destination address values and security protocol identifiers both match, processing the encrypted and/or authenticated data portion of the received data packet based on the security protocol in the security association data structure stored in the located memory region.
21. A method of determining an appropriate security association for an encrypted data packet received by a first computer over a previously established secure communication channel in an interconnected computer network, the method comprising: parsing a security parameter index value from a header portion of the received data packet; locating a memory region having an address that matches the security parameter index value; and implementing a security association based on a security association data structure that is stored in the located memory region.
22. The method of claim 21, wherein the header portion of the received data packet and the security association data structure each further include a network destination address value, and wherein the method further comprises: prior to implementing the security association, determining that the network destination address value in the header portion matches the network destination address value in the security association data structure.
23. The method of claim 21, wherein the security parameter index value is a 32 bit value.
24. The method of claim 21, wherein the located memory region is part of a security association database that includes other memory regions that store other security association data structures.
25. The method of claim 21, wherein the header portion of the received data packet and the security association data structure each further include a security protocol identifier, and wherein the method further comprises: prior to implementing the security association, determining that the security protocol identifier in the header portion matches the security protocol identifier in the security association data structure stored in the located memory region.
26. The method of claim 25, further comprising: processing the received data packet based on the security protocol.
27. A method of determining an appropriate security association for an encrypted and/or authenticated data packet received by a first computer over a previously established secure communication channel in an interconnected computer network, the method comprising: parsing a security parameter index value and a destination address value from a header portion of the received data packet; locating a memory region having an address that matches the security parameter index value; determining whether the network destination address value in the header portion matches a network destination address value in a security association data structure that is stored in the located memory address; and in response to the determination that the network destination address values match, implementing a security association based on the security association data structure that is stored in the located memory region.
28. The method of claim 27, wherein the security parameter index value is a 32 bit value.
29. The method of claim 27, wherein the located memory region is part of a security association database that includes other security association data structures.
30. The method of claim 27, wherein the header portion of the received data packet and the security association data structure each further include a security protocol identifier, and wherein the method further comprises: prior to implementing the security association, determining that the security protocol identifier in the header portion matches the security protocol identifier in the security association data structure stored in the located memory region.
31. The method of claim 30, further comprising: processing the received data packet based on the security protocol.
32. A method of determining an appropriate security association for an encrypted and/or authenticated data packet received by a first computer over a previously established secure communication channel in an interconnected computer network, the method comprising: parsing a security parameter index value, a destination address value, and a security protocol identifier from a header portion of the received data packet; locating a memory region having an address that matches the security parameter index value; determining whether the network destination address value and the security protocol identifier in the header portion match a network destination address value and a security protocol identifier in a security association data structure that is stored in the located memory address; and in response to the determination that the network destination address values and security protocol identifiers match, implementing a security association based on the security association data structure that is stored in the located memory region.
33. The method of claim 32, wherein the security parameter index value is a 32 bit value.
34. The method of claim 32, wherein the located memory region is part of a security association database that includes other security associations.
 35. The method ofclaim 32, further comprising: processing the received data packet basedon the security protocol.
 36. A computer-readable medium containingcomputer executable code for instructing a computer to establish asecure communication channel for information flow between one or moreother computers communicating via an interconnected computer network,the instructions comprising: receiving a security association datastructure from one or more computers via the interconnected computernetwork; storing the received security association data structure in amemory region having a specific memory address associated therewith; andassigning the specific memory address to a security parameter indexvalue associated with the received security association data structure.37. A computer-readable medium containing computer executable code forinstructing a computer to process information received over a previouslyestablished secure communication channel, the instructions comprising:receiving a data packet that includes at least an encrypted and/orauthenticated data portion and a header portion, the header portionincluding at least a security parameter index value; locating a memoryregion using the security parameter index value as an address pointer;and processing the encrypted and/or authenticated data portion of thereceived data packet based on a security association data structurestored in the located memory region.
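The store-and-lookup procedure of claims 27, 32 and 36 (an inbound SA is stored at an address that becomes its SPI; on receipt the SPI locates the record, and the destination address and protocol identifier must match before the SA is used), as an added C example that is not the patent's own code. The SAD layout as a fixed array with the SPI equal to the record's byte offset, the reduced record fields, and the range and alignment validation of the wire-supplied SPI before it is dereferenced are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Security protocol identifiers as carried in the packet header (IP protocol numbers). */
#define PROTO_ESP 50
#define PROTO_AH  51

/* One inbound security association record; fields reduced to those the claims check. */
struct sa_entry {
    uint8_t  in_use;
    uint8_t  protocol;   /* PROTO_ESP or PROTO_AH */
    uint32_t dst_addr;   /* IPv4 destination address, host byte order */
    uint8_t  key[16];    /* keying material (constructed, not a real key) */
};

/* Security association database: a fixed region in which the SPI assigned to an
 * inbound SA is the byte offset of its record (hypothetical layout; slot 0 is never
 * issued so that SPI 0 is never a valid lookup). */
#define SAD_ENTRIES 4
static struct sa_entry sad[SAD_ENTRIES];

/* Constructed key material for the stand-alone run. */
static const uint8_t demo_key[16] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                                      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };

/* Store a received inbound SA and return its SPI (claim 36); 0 signals a full database. */
uint32_t sad_store(uint8_t protocol, uint32_t dst_addr, const uint8_t key[16]) {
    for (size_t i = 1; i < SAD_ENTRIES; i++) {
        if (!sad[i].in_use) {
            sad[i].in_use = 1;
            sad[i].protocol = protocol;
            sad[i].dst_addr = dst_addr;
            memcpy(sad[i].key, key, 16);
            return (uint32_t)(i * sizeof(struct sa_entry));
        }
    }
    return 0;
}

/* Locate the SA for an inbound header (claims 27 and 32). The SPI arrives from the
 * network, so it is validated as an offset (non-zero, aligned, in range, slot in use)
 * before it is dereferenced; then destination address and protocol must match. */
const struct sa_entry *sad_lookup(uint32_t spi, uint32_t dst_addr, uint8_t protocol) {
    if (spi == 0 || spi % sizeof(struct sa_entry) != 0) return NULL;
    size_t idx = spi / sizeof(struct sa_entry);
    if (idx >= SAD_ENTRIES || !sad[idx].in_use) return NULL;
    if (sad[idx].dst_addr != dst_addr || sad[idx].protocol != protocol) return NULL;
    return &sad[idx];
}
```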